DOCSLIB.ORG

Differential and Rectangle Attacks on Reduced-Round SHACAL-1*

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Differential and Rectangle Attacks on Reduced-Round SHACAL-1* Differential and Rectangle Attacks on Reduced-Round SHACAL-1? Jiqiang Lu1??, Jongsung Kim2,3???, Nathan Keller4†, and Orr Dunkelman5‡ 1 Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, UK [email protected] 2 ESAT/SCD-COSIC, Katholieke Universiteit Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium [email protected] 3 Center for Information Security Technologies(CIST), Korea University Anam Dong, Sungbuk Gu, Seoul, Korea [email protected] 4Einstein Institute of Mathematics, Hebrew University Jerusalem 91904, Israel [email protected] 5Computer Science Department, Technion Haifa 32000, Israel [email protected] Abstract. SHACAL-1 is an 80-round block cipher with a 160-bit block size and a key of up to 512 bits. In this paper, we present rectangle at- tacks on the first 51 rounds and a series of inner 52 rounds of SHACAL-1, and also present differential attacks on the first 49 rounds and a series of inner 55 rounds of SHACAL-1. These are the best currently known cryptanalytic results on SHACAL-1 in an one key attack scenario. Key words: Block cipher, SHACAL-1, Differential cryptanalysis, Am- plified boomerang attack, Rectangle attack ? A shortened version of this paper was published in Proceedings of INDOCRYPT2006 — The Seventh International Conference on Cryptography in India, Kolkata, INDIA, Rana Barua and Tanja Lange (eds), Volume of Lecture Notes in Computer Science, pp., Springer-Verlag, 2006 ?? This author as well as his work was supported by a Royal Holloway Scholarship and the European Commission under contract IST-2002-507932 (ECRYPT). ??? This author was financed by a Ph.D grant of the Katholieke Universiteit Leu- ven and by the Korea Research Foundation Grant funded by the Korean Gov- ernment(MOEHRD) (KRF-2005-213-D00077) and supported by the Concerted Re- search Action (GOA) Ambiorics 2005/11 of the Flemish Government and by the European Commission through the IST Programme under Contract IST2002507932 ECRYPT. † This author was supported by the Adams fellowship. ‡ This author was partially supported by the Israel MOD Research and Technology Unit. 1 Introduction In 2000, Handschuh and Naccache [10] proposed a 160-bit block cipher SHACAL based on the compression function of the standardized hash function SHA-1 [21]. In 2001, they proposed two versions, known as SHACAL-1 and SHACAL-2 [11], where SHACAL-1 is the same as the original SHACAL, while SHACAL-2 is a 256-bit block cipher based on the compression function of SHA-256 [22]. Both SHACAL-1 and SHACAL-2 were selected for the second phase of the NESSIE (New European Schemes for Signatures, Integrity, and Encryption) project [19]; however, in 2003, SHACAL-1 was not recommended for the NESSIE portfolio because of concerns about its key schedule, while SHACAL-2 was finally selected as one of the NESSIE finalists. Since SHACAL-1 is the compression function of SHA-1 used in encryption mode, there is much significance to investigate its security against different cryptanalytic attacks. The security of SHACAL-1 against differential cryptanalysis [2] and linear cryptanalysis [18] was first analyzed by the proposers. Subsequently, Nakahara Jr. [20] conducted a statistical evaluation of the cipher. In 2002, Kim et al. [16] presented a differential attack on the first 41 rounds of SHACAL-1 with 512 key bits and an amplified boomerang attack on the first 47 rounds of SHACAL-1 with 512 key bits, where the former attack is due to a 30-round differential char- acteristic with probability 2−138, while the latter attack is based on a 36-round amplified boomerang distinguisher (see Table 3 in Appendix A for the two dif- ferentials), which was conjectured by the authors to be the longest distinguisher (i.e., the distinguisher with the greatest number of rounds). However, in 2003, Biham et al. [5] pointed out that the step for judging whether a final candidate subkey is the right one in the amplified boomerang attacks presented in [16] is incorrect due to a flaw in the analysis on the number of wrong quartets that sat- isfy the conditions of a right quartet. They then corrected it with the fact that all the subkeys of SHACAL-1 are linearly dependent on the user key. Finally, by converting the Kim et al.’s 36-round boomerang distinguisher to a 36-round rectangle distinguisher, Biham et al. presented rectangle attacks on the first 47 rounds and two series of inner 49 rounds of SHACAL-1 with 512 key bits. These are the best cryptanalytic results on SHACAL-1 in an one key attack sce- nario, prior to the work described in this paper. Other cryptanalytic results on SHACAL-1 include the following related-key attacks, which require two or four (related) keys: In 2004, Kim et al. [15] presented a related-key rectangle attack on the first 59 rounds. In 2005, Hong et al. [12] presented a related-key rectangle attack on the first 70 rounds. Most recently, Dunkelman et al. [8] presented a related-key rectangle attack on the full 80 rounds of SHACAL-1. Amplified boomerang attack [13], rectangle attack [3], and related-key rect- angle attack [6,12,15] are all variants of the boomerang attack [23]. As a result, they share the same basic idea of using two short differentials with larger prob- abilities instead of a long differential with a smaller probability. But, different from amplified boomerang attack and rectangle attack, related-key rectangle at- tack uses related-key differentials, which requires an additional assumption that the attacker should know or can choose the specific differences between one or two pairs of unknown keys. This additional assumption makes it very difficult or even infeasible to be conducted in most cryptographic applications, though cer- tain current applications may allow for related-key attacks [1], say key-exchange protocols [14]. In this paper, we exploit some better differential characteristics than those previously known in SHACAL-1. More specifically, we exploit a 24-round differ- ential characteristic with probability 2−50 for rounds 0 to 23 such that we con- struct a 38-round rectangle distinguisher with probability 2−302.3. Based on this distinguisher, we mount rectangle attacks on the first 51 rounds and a series of inner 52 rounds of SHACAL-1 with 512 key bits. We also exploit a 34-round dif- ferential characteristic with probability 2−148 for rounds 0 to 33 and a 40-round differential characteristic with probability 2−154 for rounds 30 to 69, which can be used to mount differential attacks on the first 49 rounds and a series of inner 55 rounds of SHACAL-1 with 512 key bits, respectively. The rest of this paper is organised as follows. In the next section, we briefly describe the SHACAL-1 cipher, the amplified boomerang attack and the rectan- gle attack. In Sections 3 and 4, we present rectangle and differential attacks on the aforementioned reduced-round versions of SHACAL-1, respectively. Section 5 concludes this paper. 2 Preliminaries 2.1 The SHACAL-1 Cipher SHACAL-1 [11] uses the compression function of SHA-1 [21], where the plaintext enters the compression function as the chaining value, and the key enters the compression function as the message block. Its encryption procedure can be described as follows, 1. The 160-bit plaintext P is divided into five 32-bit words A0||B0||C0||D0||E0. 2. For i = 0 to 79: Ai+1 = Ki ROT5(Ai) fi(Bi,Ci,Di) Ei Wi, Bi+1 = Ai, Ci+1 = ROT30(Bi), Di+1 = Ci, Ei+1 = Di. 3. The ciphertext is (A80||B80||C80||D80||E80), 32 where denotes addition modulo 2 , ROTi(X) represents left rotation of X by i bits, || denotes string concatenation, Ki is the i-th round key, Wi is the i-th 1 round constant, and the function fi is defined as, f = (B&C)|(¬B&D) 0 ≤ i ≤ 19 if fi(B, C, D) = fxor = B ⊕ C ⊕ D 20 ≤ i ≤ 39, 60 ≤ i ≤ 79 fmaj = (B&C)|(B&D)|(C&D) 40 ≤ i ≤ 59 1 We note that this is the opposite to Refs. [10,11,21]; however, we decide to stick to the common notation Ki as a round subkey. where & denotes the bitwise logical AND, ⊕ denotes the bitwise logical exclu- sive OR (XOR), ¬ denotes the complement, and | represents the bitwise OR operations. The key schedule of SHACAL-1 takes as input a variable length key of up to 512 bits; Shorter keys can be used by padding them with zeros to produce a 512-bit key string, however, the proposers recommend that the key should not be shorter than 128 bits. The 512-bit user key K is divided into sixteen 32-bit words K0,K1, ··· ,K15, which are the round keys for the first 16 rounds. Each of the remaining round keys is generated as Ki = ROT1(Ki−3 ⊕Ki−8 ⊕Ki−14 ⊕Ki−16). 2.2 Amplified Boomerang and Rectangle Attacks Amplified boomerang attack treats a block cipher E : {0, 1}n ×{0, 1}k → {0, 1}n as a cascade of two sub-ciphers E = E1 ◦ E0. It assumes that there exist two differentials: one differential α → β through E0 with probability p (i.e., P r[E0(X) ⊕ E0(X∗) = β|X ⊕ X∗ = α] = p), and the other differential γ → δ through E1 with probability q (i.e., P r[E1(X) ⊕ E1(X∗) = δ|X ⊕ X∗ = γ] = q), −n/2 with p and q satisfying p · q 2 . Two pairs of plaintexts (P1,P2 = P1 ⊕ α) and (P3,P4 = P3 ⊕ α) is called a right quartet if the following three conditions hold: 0 0 0 0 C1: E (P1) ⊕ E (P2) = E (P3) ⊕ E (P4) = β; 0 0 0 0 C2: E (P1) ⊕ E (P3) = E (P2) ⊕ E (P4) = γ; 1 0 1 0 1 0 1 0 C3: E (E (P1)) ⊕ E (E (P3)) = E (E (P2)) ⊕ E (E (P4)) = δ.
Load more

Recommended publications
  • Improved Rectangle Attacks on SKINNY and CRAFT
    Improved Rectangle Attacks on SKINNY and CRAFT Hosein Hadipour1, Nasour Bagheri2 and Ling Song3( ) 1 Department of Mathematics and Computer Science, University of Tehran, Tehran, Iran, [email protected] 2 Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran, [email protected] 3 Jinan University, Guangzhou, China [email protected] Abstract. The boomerang and rectangle attacks are adaptions of differential crypt- analysis that regard the target cipher E as a composition of two sub-ciphers, i.e., 2 2 E = E1 ◦ E0, to construct a distinguisher for E with probability p q by concatenat- ing two short differential trails for E0 and E1 with probability p and q respectively. According to the previous research, the dependency between these two differential characteristics has a great impact on the probability of boomerang and rectangle distinguishers. Dunkelman et al. proposed the sandwich attack to formalise such dependency that regards E as three parts, i.e., E = E1 ◦ Em ◦ E0, where Em contains the dependency between two differential trails, satisfying some differential propagation with probability r. Accordingly, the entire probability is p2q2r. Recently, Song et al. have proposed a general framework to identify the actual boundaries of Em and systematically evaluate the probability of Em with any number of rounds, and applied their method to accurately evaluate the probabilities of the best SKINNY’s boomerang distinguishers. In this paper, using a more advanced method to search for boomerang distinguishers, we show that the best previous boomerang distinguishers for SKINNY can be significantly improved in terms of probability and number of rounds.
    [Show full text]
  • Lecture Note 8 ATTACKS on CRYPTOSYSTEMS I Sourav Mukhopadhyay
    Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Attacks on Cryptosystems • Up to this point, we have mainly seen how ciphers are implemented. • We have seen how symmetric ciphers such as DES and AES use the idea of substitution and permutation to provide security and also how asymmetric systems such as RSA and Diffie Hellman use other methods. • What we haven’t really looked at are attacks on cryptographic systems. Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 1 • An understanding of certain attacks will help you to understand the reasons behind the structure of certain algorithms (such as Rijndael) as they are designed to thwart known attacks. • Although we are not going to exhaust all possible avenues of attack, we will get an idea of how cryptanalysts go about attacking ciphers. Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 2 • This section is really split up into two classes of attack: Cryptanalytic attacks and Implementation attacks. • The former tries to attack mathematical weaknesses in the algorithms whereas the latter tries to attack the specific implementation of the cipher (such as a smartcard system). • The following attacks can refer to either of the two classes (all forms of attack assume the attacker knows the encryption algorithm): Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 3 – Ciphertext-only attack: In this attack the attacker knows only the ciphertext to be decoded. The attacker will try to find the key or decrypt one or more pieces of ciphertext (only relatively weak algorithms fail to withstand a ciphertext-only attack).
    [Show full text]
  • Hash Functions and the (Amplified) Boomerang Attack
    Hash Functions and the (Amplified) Boomerang Attack Antoine Joux1,3 and Thomas Peyrin2,3 1 DGA 2 France T´el´ecomR&D [email protected] 3 Universit´ede Versailles Saint-Quentin-en-Yvelines [email protected] Abstract. Since Crypto 2004, hash functions have been the target of many at- tacks which showed that several well-known functions such as SHA-0 or MD5 can no longer be considered secure collision free hash functions. These attacks use classical cryptographic techniques from block cipher analysis such as differential cryptanal- ysis together with some specific methods. Among those, we can cite the neutral bits of Biham and Chen or the message modification techniques of Wang et al. In this paper, we show that another tool of block cipher analysis, the boomerang attack, can also be used in this context. In particular, we show that using this boomerang attack as a neutral bits tool, it becomes possible to lower the complexity of the attacks on SHA-1. Key words: hash functions, boomerang attack, SHA-1. 1 Introduction The most famous design principle for dedicated hash functions is indisputably the MD-SHA family, firstly introduced by R. Rivest with MD4 [16] in 1990 and its improved version MD5 [15] in 1991. Two years after, the NIST publishes [12] a very similar hash function, SHA-0, that will be patched [13] in 1995 to give birth to SHA-1. This family is still very active, as NIST recently proposed [14] a 256-bit new version SHA-256 in order to anticipate the potential cryptanalysis results and also to increase its security with regard to the fast growth of the computation power.
    [Show full text]
  • Boomerang Analysis Method Based on Block Cipher
    International Journal of Security and Its Application Vol.11, No.1 (2017), pp.165-178 http://dx.doi.org/10.14257/ijsia.2017.11.1.14 Boomerang Analysis Method Based on Block Cipher Fan Aiwan and Yang Zhaofeng Computer School, Pingdingshan University, Pingdingshan, 467002 Henan province, China { Fan Aiwan} [email protected] Abstract This paper fused together the related key analysis and differential analysis and did multiple rounds of attack analysis for the DES block cipher. On the basis of deep analysis of Boomerang algorithm principle, combined with the characteristics of the key arrangement of the DES block cipher, the 8 round DES attack experiment and the 9 round DES attack experiment were designed based on the Boomerang algorithm. The experimental results show that, after the design of this paper, the value of calculation complexity of DES block cipher is only 240 and the analysis performance is greatly improved by the method of Boomerang attack. Keywords: block cipher, DES, Boomerang, Computational complexity 1. Introduction With the advent of the information society, especially the extensive application of the Internet to break the traditional limitations of time and space, which brings great convenience to people. However, at the same time, a large amount of sensitive information is transmitted through the channel or computer network, especially the rapid development of e-commerce and e-government, more and more personal information such as bank accounts require strict confidentiality, how to guarantee the security of information is particularly important [1-2]. The essence of information security is to protect the information system or the information resources in the information network from various types of threats, interference and destruction, that is, to ensure the security of information [3].
    [Show full text]
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]
  • Cs 255 (Introduction to Cryptography)
    CS 255 (INTRODUCTION TO CRYPTOGRAPHY) DAVID WU Abstract. Notes taken in Professor Boneh’s Introduction to Cryptography course (CS 255) in Winter, 2012. There may be errors! Be warned! Contents 1. 1/11: Introduction and Stream Ciphers 2 1.1. Introduction 2 1.2. History of Cryptography 3 1.3. Stream Ciphers 4 1.4. Pseudorandom Generators (PRGs) 5 1.5. Attacks on Stream Ciphers and OTP 6 1.6. Stream Ciphers in Practice 6 2. 1/18: PRGs and Semantic Security 7 2.1. Secure PRGs 7 2.2. Semantic Security 8 2.3. Generating Random Bits in Practice 9 2.4. Block Ciphers 9 3. 1/23: Block Ciphers 9 3.1. Pseudorandom Functions (PRF) 9 3.2. Data Encryption Standard (DES) 10 3.3. Advanced Encryption Standard (AES) 12 3.4. Exhaustive Search Attacks 12 3.5. More Attacks on Block Ciphers 13 3.6. Block Cipher Modes of Operation 13 4. 1/25: Message Integrity 15 4.1. Message Integrity 15 5. 1/27: Proofs in Cryptography 17 5.1. Time/Space Tradeoff 17 5.2. Proofs in Cryptography 17 6. 1/30: MAC Functions 18 6.1. Message Integrity 18 6.2. MAC Padding 18 6.3. Parallel MAC (PMAC) 19 6.4. One-time MAC 20 6.5. Collision Resistance 21 7. 2/1: Collision Resistance 21 7.1. Collision Resistant Hash Functions 21 7.2. Construction of Collision Resistant Hash Functions 22 7.3. Provably Secure Compression Functions 23 8. 2/6: HMAC And Timing Attacks 23 8.1. HMAC 23 8.2.
    [Show full text]
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1
    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
    [Show full text]
  • Applications of Search Techniques to Cryptanalysis and the Construction of Cipher Components. James David Mclaughlin Submitted F
    Applications of search techniques to cryptanalysis and the construction of cipher components. James David McLaughlin Submitted for the degree of Doctor of Philosophy (PhD) University of York Department of Computer Science September 2012 2 Abstract In this dissertation, we investigate the ways in which search techniques, and in particular metaheuristic search techniques, can be used in cryptology. We address the design of simple cryptographic components (Boolean functions), before moving on to more complex entities (S-boxes). The emphasis then shifts from the construction of cryptographic arte- facts to the related area of cryptanalysis, in which we first derive non-linear approximations to S-boxes more powerful than the existing linear approximations, and then exploit these in cryptanalytic attacks against the ciphers DES and Serpent. Contents 1 Introduction. 11 1.1 The Structure of this Thesis . 12 2 A brief history of cryptography and cryptanalysis. 14 3 Literature review 20 3.1 Information on various types of block cipher, and a brief description of the Data Encryption Standard. 20 3.1.1 Feistel ciphers . 21 3.1.2 Other types of block cipher . 23 3.1.3 Confusion and diffusion . 24 3.2 Linear cryptanalysis. 26 3.2.1 The attack. 27 3.3 Differential cryptanalysis. 35 3.3.1 The attack. 39 3.3.2 Variants of the differential cryptanalytic attack . 44 3.4 Stream ciphers based on linear feedback shift registers . 48 3.5 A brief introduction to metaheuristics . 52 3.5.1 Hill-climbing . 55 3.5.2 Simulated annealing . 57 3.5.3 Memetic algorithms . 58 3.5.4 Ant algorithms .
    [Show full text]
  • Vmware Java JCE (Java Cryptographic Extension) Module Software Version: 2.0
    VMware, Inc. 3401 Hillview Ave Palo Alto, CA 94304, USA Tel: 877-486-9273 Email: [email protected] http://www. vmware.com VMware Java JCE (Java Cryptographic Extension) Module Software Version: 2.0 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level: 1 Document Version: 0.5 Security Policy, Version 0.5 VMware Java JCE (Java Cryptographic Extension) Module TABLE OF CONTENTS 1 Introduction .................................................................................................................................................. 4 1.1 Purpose......................................................................................................................................................... 4 1.2 Reference ..................................................................................................................................................... 4 2 VMware Java JCE (Java Cryptographic Extension) Module ............................................................................ 5 2.1 Introduction .................................................................................................................................................. 5 2.1.1 VMware Java JCE (Java Cryptographic Extension) Module ...................................................................... 5 2.2 Module Specification .................................................................................................................................... 5 2.2.1 Physical Cryptographic Boundary ...........................................................................................................
    [Show full text]
  • Cryptanalysis of Selected Block Ciphers
    Downloaded from orbit.dtu.dk on: Sep 24, 2021 Cryptanalysis of Selected Block Ciphers Alkhzaimi, Hoda A. Publication date: 2016 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Alkhzaimi, H. A. (2016). Cryptanalysis of Selected Block Ciphers. Technical University of Denmark. DTU Compute PHD-2015 No. 360 General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. Cryptanalysis of Selected Block Ciphers Dissertation Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at the Department of Mathematics and Computer Science-COMPUTE in The Technical University of Denmark by Hoda A.Alkhzaimi December 2014 To my Sanctuary in life Bladi, Baba Zayed and My family with love Title of Thesis Cryptanalysis of Selected Block Ciphers PhD Project Supervisor Professor Lars R. Knudsen(DTU Compute, Denmark) PhD Student Hoda A.Alkhzaimi Assessment Committee Associate Professor Christian Rechberger (DTU Compute, Denmark) Professor Thomas Johansson (Lund University, Sweden) Professor Bart Preneel (Katholieke Universiteit Leuven, Belgium) Abstract The focus of this dissertation is to present cryptanalytic results on selected block ci- phers.
    [Show full text]
  • Cryptanalysis of Block Ciphers
    Cryptanalysis of Block Ciphers Jiqiang Lu Technical Report RHUL–MA–2008–19 30 July 2008 Royal Holloway University of London Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX, England http://www.rhul.ac.uk/mathematics/techreports CRYPTANALYSIS OF BLOCK CIPHERS JIQIANG LU Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics Royal Holloway, University of London 2008 Declaration These doctoral studies were conducted under the supervision of Prof. Chris Mitchell. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Information Security Group of Royal Holloway, University of London as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Jiqiang Lu July 2008 2 Acknowledgements First of all, I thank my supervisor Prof. Chris Mitchell for suggesting block cipher cryptanalysis as my research topic when I began my Ph.D. studies in September 2005. I had never done research in this challenging ¯eld before, but I soon found it to be really interesting. Every time I ¯nished a manuscript, Chris would give me detailed comments on it, both editorial and technical, which not only bene¯tted my research, but also improved my written English. Chris' comments are fantastic, and it is straightforward to follow them to make revisions. I thank my advisor Dr. Alex Dent for his constructive suggestions, although we work in very di®erent ¯elds.
    [Show full text]
  • Differential-Linear Cryptanalysis Revisited
    Differential-Linear Cryptanalysis Revisited C´elineBlondeau1 and Gregor Leander2 and Kaisa Nyberg1 1 Department of Information and Computer Science, Aalto University School of Science, Finland fceline.blondeau, [email protected] 2 Faculty of Electrical Engineering and Information Technology, Ruhr Universit¨atBochum, Germany [email protected] Abstract. Block ciphers are arguably the most widely used type of cryptographic primitives. We are not able to assess the security of a block cipher as such, but only its security against known attacks. The two main classes of attacks are linear and differential attacks and their variants. While a fundamental link between differential and linear crypt- analysis was already given in 1994 by Chabaud and Vaudenay, these at- tacks have been studied independently. Only recently, in 2013 Blondeau and Nyberg used the link to compute the probability of a differential given the correlations of many linear approximations. On the cryptana- lytical side, differential and linear attacks have been applied on different parts of the cipher and then combined to one distinguisher over the ci- pher. This method is known since 1994 when Langford and Hellman presented the first differential-linear cryptanalysis of the DES. In this paper we take the natural step and apply the theoretical link between linear and differential cryptanalysis to differential-linear cryptanalysis to develop a concise theory of this method. We give an exact expression of the bias of a differential-linear approximation in a closed form under the sole assumption that the two parts of the cipher are independent. We also show how, under a clear assumption, to approximate the bias effi- ciently, and perform experiments on it.
    [Show full text]